Technical  Research  Report 


Negotiating  Access  Control  Policies  Between  Autonomous 
Domains 

by  Vijay  G.  Bharadwaj,  John  S.  Baras 


CSHCN  TR  2002-3 
(ISR  TR  2002-3) 


The  Center  for  Satellite  and  Hybrid  Communication  Networks  is  a  NASA-sponsored  Commercial  Space 
Center  also  supported  by  the  Department  of  Defense  (DOD),  industry,  the  State  of  Maryland,  the  University 
of  Maryland  and  the  Institute  for  Systems  Research.  This  document  is  a  technical  report  in  the  CSHCN 

series  originating  at  the  University  of  Maryland. 


Web  site  http://www.isr.umd.edu/CSHCN/ 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

2QQ2  2.  REPORT  TYPE 

3.  DATES  COVERED 

4.  TITLE  AND  SUBTITLE 

Negotiating  Access  Control  policies  Between  Autonomous  Domains 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Defense  Advanced  Research  Projects  Agency, 3701  North  Fairfax 

Drive, Arlington, VA, 22203-1714 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

see  report 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF:  17.  LIMITATION  OF 

18.  NUMBER  19a.  NAME  OF 

a.  REPORT  b.  ABSTRACT  c.  THIS  PAGE 

unclassified  unclassified  unclassified 

8 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


Negotiating  Access  Control  Policies  Between  Autonomous  Domains 


Vijay  G.  Bharadwaj  and  John  S.  Baras 
Institute  for  Systems  Research,  University  of  Maryland, 
College  Park  MD  20742,  USA. 

{vgb, barns}  @  umd.  edu 


Abstract 

Autonomous  policy  domains  often  need  to  share  resources 
to  accomplish  a  common  task.  To  do  this  they  must 
negotiate  a  common  access  control  policy  to  the  shared 
resources.  We  use  mathematical  techniques  from  game 
theory  to  show  that  the  outcome  of  such  negotiations  can 
often  be  predicted  from  the  distribution  of  power  among 
the  participants,  independent  of  the  actual  mechanics 
of  negotiation.  We  discuss  the  axiomatic  derivation  of 
some  game  theoretic  solution  concepts,  and  illustrate  our 
techniques  with  examples. 

1.  Introduction 

Online  collaboration  frequently  requires  two  or  more  au¬ 
tonomous  policy  domains  to  form  a  coalition  in  order  to 
share  data  or  other  resources  to  achieve  a  common  goal. 
Often,  the  collaboration  itself  may  generate  new  data  or 
resources,  and  these  must  also  be  shared.  Therefore  the 
domains  involved  must  negotiate  a  common  access  control 
policy  for  all  shared  resources.  Traditionally,  such  negotia¬ 
tions  have  been  carried  out  by  human  beings  meeting  in  per¬ 
son,  through  a  tedious  process  of  discussion  and  bargaining 
that  can  take  weeks  or  months  to  conclude.  In  many  situa¬ 
tions,  especially  when  the  collaboration  is  for  a  short  period 
of  time,  these  delays  are  unacceptable.  It  is  then  desirable 
to  speed  up  the  process  of  negotiation  by  automating  it. 

Previous  work  on  negotiation  either  assumes  that 
coalition  policies  are  agreed  upon  by  extra-technological 
means  [1],  or  treats  the  problem  in  the  context  of  client- 
server  networks  [2].  We  look  at  networks  with  multiple 
peer  domains,  all  of  whom  share  resources  with  each  other 
for  mutual  benefit.  Our  aim  is  to  automate  the  process  of 
policy  negotiation  in  such  networks,  so  that  it  can  be  car¬ 
ried  out  by  software  agents  (perhaps  residing  on  the  domain 
controllers)  with  limited  human  intervention. 

Conceptually,  when  negotiating  a  common  access  con¬ 
trol  policy,  the  domains  must  agree  on  two  things:  a  model 
and  a  set  of  rules  for  the  mechanisms  by  which  resources 


are  shared  (i.e.  the  policy  model  and  the  policy  model  inter¬ 
pretation),  and  which  resources  are  shared  and  with  whom 
(i.e.  the  access  state  of  the  coalition  under  the  access  con¬ 
trol  policy).  These  two  parts  are  related:  for  instance,  the 
access  state  must  be  compatible  with  the  properties  of  the 
agreed-upon  policy  model. 

Previous  work  [3]  has  explored  policy  definition  lan¬ 
guages  for  security  domains;  such  languages  can  also  be 
extended  to  describe  coalition  policies.  For  instance,  con¬ 
sider  a  coalition  in  which  all  domains  use  Role  Based  Ac¬ 
cess  Control  as  their  policy  model.  Each  domain  can  share 
its  resources  with  foreign  domains  by  enrolling  some  users 
from  the  foreign  domain  into  local  roles  with  access  to  the 
relevant  resources.  Another  approach  is  to  create  a  new  set 
of  roles  for  the  coalition,  then  give  these  new  roles  access 
to  the  shared  resources  and  enroll  local  and  foreign  users 
into  these  new  roles.  In  either  case,  languages  for  describ¬ 
ing  role-based  access  control  models  can  be  used  to  express 
coalition  policies  as  well.  Thus,  domains  in  a  negotiation 
can  communicate  their  security  policies  to  each  other,  and 
can  automatically  check  if  a  proposed  state  is  consistent 
with  the  policy. 

In  this  paper  we  look  at  the  negotiation  process  itself. 
We  start  by  postulating  some  desirable  properties  we  would 
like  the  negotiated  coalition  policy  to  have.  We  then  show 
that  these  properties  lead  naturally  to  certain  game  theoretic 
concepts,  and  to  algorithms  for  computing  them.  As  a  result 
we  can  characterize  the  likely  outcomes  of  policy  negotia¬ 
tion  and  provide  methods  to  compute  these  outcomes. 

Our  results  show  that  the  outcome  of  a  negotiation  is 
often  determined  by  the  distribution  of  power  among  the 
participants  rather  than  by  the  details  of  how  the  negotia¬ 
tion  proceeds.  The  power  of  a  domain  in  a  negotiation  is 
its  ability  to  help  or  hurt  the  other  domains  by  cooperating 
with  them  or  refusing  to  do  so.  The  language  of  game  the¬ 
ory  allows  us  to  frame  these  properties  in  a  precise  manner, 
and  gives  us  the  mathematical  tools  to  predict  the  eventual 
results  of  such  negotiations. 

We  assume  an  architecture  in  which  each  domain  has 
a  central  controller  to  administer  its  local  policies  and  to 
negotiate  with  other  domains  on  its  behalf  (see  Figure  1). 


Domain  A 


Domain  B 


Figure  1:  Negotiation  in  multi-domain  networks. 

We  will  refer  to  such  networks  as  coalitions,  and  to  the  re¬ 
sources  shared  between  the  domains  in  the  network  as  coali¬ 
tion  resources. 

The  rest  of  this  paper  is  organized  as  follows:  Section  2 
introduces  some  basics  of  game  theory.  Section  3  introduces 
the  examples  we  will  use  to  illustrate  our  techniques,  and 
Sections  4  and  5  show  some  tools  to  analyze  the  examples 
and  predict  their  outcomes.  Section  6  concludes  the  paper. 

2.  Game  Theory 

Game  theory  [4,  5]  is  the  mathematical  study  of  con¬ 
flict  and  cooperation  between  intelligent  rational  entities 
(referred  to  as  players).  By  modeling  such  situations  math¬ 
ematically,  game  theory  can  predict  what  kinds  of  cooper¬ 
ation  will  arise  in  a  group  of  players  under  a  given  set  of 
conditions.  The  same  tools  can  also  be  applied  to  design 
games  that  lead  to  desirable  outcomes;  we  can  decide  what 
kinds  of  cooperation  we  would  like  to  see  in  a  group  of  play¬ 
ers,  and  devise  rules  for  their  interaction  such  that  it  will  be 
in  the  players’  best  interests  to  cooperate  with  each  other. 

A  game  theoretic  model  consists  of  a  set  of  players,  a  set 
of  possible  actions  for  each  player,  and  a  payoff  function, 
which  associates  each  combination  of  actions  by  the  play¬ 
ers  to  a  vector  of  rewards  to  the  players.  A  key  assumption 
is  that  all  players  are  rational  and  intelligent.  Rationality 
means  that  each  player  behaves  in  his  own  best  interest,  i.e. 
in  a  manner  calculated  to  increase  his  own  reward.  Intelli¬ 
gence  implies  that  players  are  capable  of  making  any  infer¬ 
ences  about  the  structure  and  dynamics  of  the  game  that  we 
are.  Thus  players  are  capable  of  deducing  what  their  opti¬ 
mal  strategies  are  in  any  given  situation,  as  well  as  what  the 


optimal  strategies  of  the  other  players  are. 

A  solution  concept  is  a  rule  that  associates  a  game  with 
a  set  of  outcomes.  Many  solution  concepts  have  been  pro¬ 
posed  in  the  literature.  Each  solution  concept  is  based  on 
a  set  of  axiomatic  requirements  that  the  solution  must  sat¬ 
isfy,  and  allows  us  to  make  predictions  about  some  aspect 
of  player  behavior  in  a  given  game.  Most  useful  solution 
concepts  also  provide  algorithms  to  compute  solutions  that 
satisfy  their  axioms  for  any  given  game. 

Noncooperative  games  are  those  in  which  every  player 
tries  to  increase  her  own  reward  independently  of  all  the 
other  players.  Cooperative  games,  on  the  other  hand,  are 
those  in  which  players  can  organize  themselves  into  groups 
to  achieve  a  common  goal  that  benefits  them  all.  Often,  co¬ 
operative  games  include  the  concept  of  transferable  utility 
-  there  exists  a  commodity,  such  as  money,  which  can  be 
freely  transferred  among  the  players  and  which  serves  as  a 
common  standard  of  value. 

Due  to  the  large  variety  of  possible  cooperation  struc¬ 
tures,  cooperative  games  are  often  richer  in  structure  and 
offer  deeper  insight  into  many  real-life  situations.  In  this 
paper  we  use  solution  concepts  from  both  noncooperative 
game  theory  and  cooperative  game  theory  to  reason  about 
the  problem  of  automated  policy  negotiation. 

As  we  will  show  in  this  paper,  policy  negotiations  can 
be  cast  as  games,  where  the  outcomes  of  the  game  are  the 
various  policies  that  may  be  agreed  on  through  negotiation. 
The  dynamics  of  the  game  depend  on  the  rules  of  negotia¬ 
tion,  and  we  will  disregard  these,  assuming  only  that  they 
are  flexible  enough  to  allow  the  participants  sufficient  op¬ 
portunity  to  communicate  with  each  other  and  arrive  at  a 
result.  We  also  assume  that  unanimous  agreement  of  all 
participants  is  required  to  terminate  a  negotiation.  We  will 
seek  solutions  of  these  games,  i.e.  we  will  try  to  make  pre¬ 
dictions  about  how  the  negotiations  will  end,  based  on  as¬ 
sumptions  about  what  kinds  of  negotiated  outcomes  are  de¬ 
sirable. 

3.  Two  Examples 

We  now  describe  the  two  examples  we  will  use  in  this  pa¬ 
per  to  illustrate  the  use  of  game  theory  in  analyzing  policy 
negotiation.  In  both  these  examples  we  assume  there  are  no 
external  rewards  or  costs  associated  with  the  problem;  that 
is,  there  is  no  compulsion  on  the  negotiators  to  reach  agree¬ 
ment  and  nothing  to  be  gained  from  an  agreement  except  for 
the  benefits  provided  by  the  agreement  itself.  This  assump¬ 
tion  does  not  always  hold  true  in  applications;  in  many  sit¬ 
uations,  the  decision  to  collaborate  has  already  been  made, 
and  negotiators  are  constrained  by  their  need  to  reach  agree¬ 
ment.  We  assume  an  absence  of  exogenous  rewards  or  costs 
for  simplicity;  any  quantifiable  exogenous  rewards  or  costs 


Figure  2:  Network  for  bandwidth  sharing  example. 

can  be  easily  incorporated  into  our  models  and  dealt  with 
using  the  same  mathematical  tools. 

3.1.  Bandwidth  Sharing 

Consider  the  network  shown  in  Figure  2.  There  are  two 
cities  X  and  Y,  and  three  Internet  providers  (labeled  D 1 ,  D2 
and  D3)  who  wish  to  send  data  between  them.  All  three  In¬ 
ternet  providers  have  many  customers,  with  large  amounts 
of  data  to  send,  and  so  would  like  to  obtain  as  much  capacity 
as  possible.  However,  no  provider  owns  a  communication 
link  that  goes  all  the  way  from  X  to  Y.  Instead  they  own 
links  that  interconnect  X  and  Y  with  other  cities,  labeled 
A  through  F.  If  the  providers  pool  their  resources,  they  can 
have  a  network  capable  of  sending  data  from  X  to  Y.  They 
wish  to  negotiate  a  policy  for  sharing  the  transmission  ca¬ 
pacity  between  X  and  Y  created  by  such  a  collaboration. 

A  number  of  features  of  this  problem  are  apparent  from 
the  figure: 

•  None  of  the  providers  can  send  any  data  from  X  to  Y 
on  its  own. 

•  No  data  can  be  sent  from  X  to  Y  without  Dl’s  cooper¬ 
ation. 

•  D1  and  D2  together  can  achieve  a  total  rate  of  1  Mbps. 

•  D1  and  D3  together  can  achieve  a  total  rate  of 
0.5  Mbps. 

•  All  the  providers  together  can  achieve  a  combined  rate 
of  3.5  Mbps. 

We  will  denote  by  Bv  and  /f  ,  the  share  of  the  aggre¬ 
gate  data  capacity  assigned  to  Dl,  D2  and  D3  respectively. 
In  later  sections  we  discuss  the  values  for  B l,  /i0  and  Bi 
that  are  likely  to  be  produced  by  a  negotiation  between  the 
providers. 

3.2.  Intelligence  Sharing 

In  this  example,  three  intelligence  agencies  (labeled  A1 
through  A3)  wish  to  share  intelligence  on  targets  of  their 
interest.  Each  agency  has  a  certain  number  of  sources,  and 


Table  1:  Parameters  for  intelligence  sharing  example. 


Agency 

No.  of  sources 

Probability  of  compromise 

A1 

7 

0.1 

A2 

4 

0.5 

A3 

10 

0.2 

can  give  the  other  agencies  access  to  as  many  of  its  sources 
as  it  wants.  However,  sharing  a  source  increases  the  proba¬ 
bility  that  it  will  be  compromised.  Each  agency  has  a  prob¬ 
ability  of  compromise  p{,  which  represents  the  danger  that  a 
source  accessible  to  this  agency  will  be  compromised.  This 
danger  applies  equally  to  all  sources  a  source  knows  about, 
including  those  it  owns.  Intelligence  from  a  compromised 
source  is  useless,  but  intelligence  from  all  uncompromised 
sources  is  equally  valuable.  The  probability  of  a  source  be¬ 
ing  compromised  due  to  one  of  the  agencies  is  assumed  to 
be  independent  of  all  other  compromises.  Table  1  shows  the 
initial  distribution  of  sources  and  the  compromise  probabil¬ 
ities.  Assume  that  the  compromise  of  a  source  cannot  be 
detected  by  the  agencies. 

Denote  by  «■  the  number  of  sources  owned  by  the  ;th 
agency,  and  let  s(-  be  the  number  of  sources  that  the  ;th 
agency  shares  with  the  others  (a  source  that  is  shared  must 
be  shared  with  all  the  other  agencies).  Let  v-,  the  reward  to 
the  ;th  agency  (also  known  as  the  value  derived  by  the  ;'th 
agency,  or  the  worth  of  the  ;th  agency),  be  equal  to  the  ex¬ 
pected  number  of  uncompromised  sources  that  the  agency 
has  access  to.  Then,  if  no  sharing  is  in  effect, 

vi  =  "/(l  ~Pi) 

If  sources  are  shared,  then  v-  depends  on  the  additional 
probability  of  compromise  due  to  the  other  domains  and  the 
number  of  sources  available  from  the  other  domains.  Thus 

vi  =  («,■-■*,■)( 1  -Pi)  +  (E^ona  ~Pl) 

j  l 

=  «/( 1  -  Pi)  +  (Es;)  rid  “  Pi)  -  si(l  -  Pi) 

j  I 

Therefore  each  agency  derives  a  benefit,  in  the  form  of 
an  additional  reward,  from  intelligence  sharing.  However, 
this  benefit  may  in  fact  be  negative  if  the  agency  exposes 
too  many  of  its  own  objects  to  a  threat  of  compromise.  In 
what  follows  we  show  how  game  theoretic  techniques  can 
be  used  to  predict  which  sharing  arrangements  are  likely  to 
arise. 

4.  Noncooperative  Game  Analysis 

A  fundamental  concept  in  game  theory  is  that  of  individ¬ 
ual  rationality.  This  is  the  simple  idea  that  no  player  will 
voluntarily  agree  to  an  arrangement  that  makes  him  worse 


off  than  he  was  before.  It  seems  logical  to  suppose  that  no 
domain  in  a  negotiation  would  agree  to  a  policy  that  was  not 
individually  rational  for  that  domain. 

In  practice,  individual  rationality  allows  us  to  reduce 
the  set  of  possible  outcomes  to  consider  in  a  negotiation, 
by  eliminating  those  outcomes  that  could  never  arise.  A 
sharing  arangement  is  individually  rational  for  a  player  if 
the  value  derived  by  that  player  under  the  arrangement  is 
greater  than  the  worth  of  the  player  without  the  arrange¬ 
ment. 

In  our  bandwidth  sharing  example,  none  of  the  providers 
could  send  any  data  from  X  to  Y  on  its  own.  The  ability 
to  send  any  data  at  all  would  be  regarded  as  an  improve¬ 
ment  by  each  of  the  domains.  Thus  the  individually  rational 
solutions  would  only  have  to  satisfy 

Z?i  >  0,  fi2>0,  fi3>0 

However,  in  the  intelligence  sharing  example,  the  con¬ 
straints  are  not  so  trivial.  Simple  algebra  shows  that  indi¬ 
vidually  rational  solutions  must  satisfy 

- - <0.4 

S1  +  S2+'S3 

S n. 

- 2 - <  0.72 

S1  +s2  +  s3 
S  Q 

- 2 - <  0.45 

H  +^2  +s3 

As  expected.  Agency  A2  needs  to  share  more  than  the 
others,  since  its  high  probability  of  compromise  makes  its 
sources  less  trustworthy.  On  the  other  hand.  Agency  Al, 
which  has  the  lowest  probability  of  compromise,  runs  a  sig¬ 
nificant  risk  by  sharing  its  sources,  and  so  has  less  incentive 
to  share. 

Individual  rationality  can  help  in  the  analysis  of  negoti¬ 
ation  by  weeding  out  irrational  alternatives.  This  can  iden¬ 
tify  games  in  which  no  individually  rational  solution  exists, 
which  would  mean  that  no  negotiation  would  succeed  with¬ 
out  the  introduction  of  some  outside  reward  or  compen¬ 
sation.  However,  many  games  (like  our  examples  above) 
have  large  numbers  of  individually  rational  solutions,  and 
in  these  cases  we  need  a  rule  to  pick  one  out  of  these  solu¬ 
tions. 

Nash  [6]  showed  that  under  mild  technical  conditions 
any  game  has  a  unique  solution,  known  as  the  Nash  bar¬ 
gaining  solution,  which  satisfies  the  following  axioms. 

•  Individual  rationality :  The  solution  is  individually  ra¬ 
tional  for  all  players. 

•  Symmetry :  If  two  players  have  identical  resources  and 
identical  reward  functions,  then  they  will  receive  equal 
treatment. 

•  Scale  Covariance :  Scaling  the  reward  functions  of  the 
players  by  transformations  of  the  form  ax  +  j3  where 


a  >  0  (a  and  p  can  be  chosen  differently  for  different 
players)  does  not  affect  the  solution  except  to  scale  it 
by  a  similar  transformation. 

•  Pareto  optimality:  No  other  solution  exists  which 
makes  all  the  players  better  off  than  under  this  solu¬ 
tion. 

•  Independence  from  unfavorable  alternatives:  Intro¬ 
ducing  a  number  of  inferior  outcomes  into  the  structure 
of  the  game  does  not  affect  the  solution. 

Nash  showed  that  the  above  axioms  are  satisfied  by  the 
individually  rational  solution  which  maximizes  the  product 
of  the  gains  made  by  each  player  as  a  result  of  coalition 
formation.  That  is,  if  ui  was  the  worth  of  the  zth  player  be¬ 
fore  coalition  formation  and  xi  is  his  value  after  the  coalition 
forms,  the  Nash  solution  is  given  by 

max  T\(xi~vi) 

all  possible  outcomes  • 

subect  to 

xi  >  v-  Vi 

For  the  bandwidth  sharing  example,  the  Nash  bargain¬ 
ing  solution  is  obtained  by  maximizing  the  product 
subject  to  B j  +B2  +  B3  =  3.5Mbps,  which  gives 

3.5 

B  j  =  B0  =  B3  =  Mbps 

The  equal  division  reflects  the  fact  that  any  provider 
which  unilaterally  breaks  away  from  the  coalition  will  not 
be  able  to  send  any  data  between  X  and  Y,  and  so  in  a  sense 
all  the  providers  need  the  coalition  equally. 

For  the  intelligence  sharing  example,  the  Nash  bargain¬ 
ing  solution  is  obtained  by  maximizing 

(s'  -  0.9s1)(s'  -  0.5 s2)(s'  -  0.8 s3) 

where 

s'  =  0 . 3  6  ( x  +  s2  +  s3) 

subject  to 

<7,  s2  <  4,  s3  <  10 

which  gives  us 

Sj  =4,  s2  =  4,  s3=5 

Thus  A2,  which  has  the  highest  probability  of  compro¬ 
mise,  must  share  as  many  sources  as  it  can,  and  the  other 
agencies  will  not  share  all  their  sources  with  A2. 


5.  Cooperative  Games 

The  analysis  in  Section  4  has  one  shortcoming:  it  as¬ 
sumes  that  if  negotiations  between  the  players  fail,  then  no 
coalition  is  formed  at  all.  However,  in  real  life,  it  is  always 
possible  for  some  of  the  players  to  negotiate  with  each  other 
and  form  a  smaller  coalition,  leaving  out  some  players,  if 
they  find  that  this  is  more  favorable  to  them.  Thus,  instead 
of  choosing  between  forming  the  largest  possible  coalition 
and  no  coalition  at  all,  players  can  choose  between  all  the 
possible  subsets  of  the  set  of  players  to  form  a  coalition. 
Cooperative  game  theory  is  the  study  of  games  where  the 
possibility  for  such  coalition  formation  exists. 

A  cooperative  game  consists  of  a  set  of  players,  and  a 
characteristic  function  that  assigns  a  value  to  each  subset  of 
this  set  of  players.  The  set  of  players  is  known  as  the  grand 
coalition,  and  its  subsets  are  known  as  coalitions.  The  value 
of  a  coalition  is  interpreted  as  the  payoff,  or  total  reward, 
that  the  players  in  that  coalition  can  achieve  by  cooperat¬ 
ing  with  each  other.  The  game  is  known  as  a  TU  game  (or 
game  with  Transferable  Utility)  if  the  players  in  a  coalition 
are  free  to  distribute  their  payoff  among  themselves  in  any 
way  they  choose;  if  players  do  not  have  such  control  over 
the  distribution  of  payoffs,  we  have  a  game  with  Nontrans- 
ferable  Utility  (or  NTU  game). 

The  best-known  solution  concept  for  cooperative  games 
is  the  core.  The  core  is  the  set  of  solutions  that  give  to  every 
possible  coalition  at  least  as  much  payoff  as  that  coalition 
could  get  if  it  acted  without  the  support  of  the  other  players. 
Thus  the  core  is  a  measure  of  stability;  if  the  players  in  a 
game  agree  to  split  their  profits  according  to  a  core  distri¬ 
bution,  then  no  player  or  set  of  players  will  find  it  in  their 
interest  to  secede  from  the  grand  coalition. 

Before  we  define  the  cores  for  our  examples,  we  must 
define  the  characteristic  function  for  each  of  our  examples. 
In  other  words,  we  must  define  what  we  mean  by  the  worth 
of  a  coalition  (as  opposed  to  the  worth  of  a  single  player). 
For  the  bandwidth  sharing  example,  this  is  easy.  We  define 
the  worth  of  any  coalition  as  the  maximum  transmission  ca¬ 
pacity  the  members  of  that  coalition  can  obtain  without  help 
from  the  remaining  member(s). 

For  the  intelligence  sharing  example,  the  value  of  a  coali¬ 
tion  is  harder  to  define.  Defining  the  value  as  the  expected 
number  of  uncompromised  sources  available  to  the  coali¬ 
tion  is  not  quite  satisfactory,  as  it  disregards  any  sharing  of 
sources  that  may  take  place.  Therefore  we  define  the  value 
of  any  coalition  as  the  sum  of  the  values  in  the  Nash  bar¬ 
gaining  solution  for  that  coalition.  For  example,  the  value 
of  the  coalition  {A1,A2}  would  be  the  sum  of  the  values  of 
A1  and  A2  when  they  implement  the  Nash  bargaining  so¬ 
lution  for  the  coalition  consisting  of  A1  and  A2  only.  We 
contend  that  this  is  a  reasonable  definition,  because  if  a  A1 


and  A2  are  to  share  any  of  their  sources  with  A3,  they  will 
only  do  so  if  they  can  get  a  better  deal  for  themselves  than 
they  could  without  A3. 

With  these  definitions,  the  core  for  the  bandwidth  shar¬ 
ing  example  is  the  (fairly  large)  set  of  bandwidth  allocations 
that  satisfy  the  inequalities 


B  i 

> 

0 

b2 

> 

0 

B, 

> 

0 

B\  +B2 

> 

1 

+  B ^ 

> 

0.5 

B^  +  Z?2  ^3 

= 

3.5 

For  the  intelligence  sharing  example,  the  core  is  charac¬ 
terized  by 


> 

6.3 

^2 

> 

2 

^3 

> 

8 

V1+V2 

> 

9.9 

F1+V3 

> 

24.48 

y2  +  y3 

> 

11.2 

It  turns  out  that  there  is  no  intelligence  sharing  arrange¬ 
ment  (i.e.  no  values  of  <  7,  s2  <  4  and  s3  <  10)  for  which 
all  the  above  inequalities  hold.  In  other  words  the  core  of 
the  intelligence  sharing  example  is  empty. 

As  seen  from  our  examples,  the  core  of  a  game  may  ei¬ 
ther  be  empty  or  so  large  as  to  be  of  little  value  in  predict¬ 
ing  player  behavior.  In  the  latter  case,  it  is  reasonable  to 
expect  that  players  will  look  for  a  core  allocation  that  is  the 
most  efficient  in  some  sense.  Two  solution  concepts  which 
emphasize  fairness  and  efficiency  are  the  nucleolus  and  the 
Shapley  value.  They  are  both  unique  and  defined  for  large 
classes  of  cooperative  games. 

The  nucleolus  [7]  is  the  solution  that  distributes  payoffs 
in  such  a  way  as  to  lexicographically  minimize  the  dissat¬ 
isfactions  of  all  the  coalitions  in  the  grand  coalition.  The 
dissatisfaction  of  a  coalition  is  the  reduction  in  its  payoff  as 
a  result  of  joining  the  grand  coalition.  Equivalently,  the  nu¬ 
cleolus  maximizes  the  benefit  to  the  least  rewarded  member 
of  the  coalition.  Thus  the  nucleolus  tries  to  be  fair  to  all 
the  players,  and  is  likely  to  be  the  outcome  of  a  negotia¬ 
tion  where  the  participants  consider  fairness  to  be  impor¬ 
tant.  The  nucleolus  can  be  shown  to  lie  in  the  core  if  the 
core  is  nonempty.  The  nucleolus  is  also  the  unique  solution 
having  the  following  properties: 

•  Anonymity.  The  solution  is  independent  of  the  labeling 
of  the  players. 

•  Scale  Covariance :  Scaling  the  reward  functions  of  the 
players  by  transformations  of  the  form  ax  +  ft  where 


a  >  0  (a  and  [5  can  be  chosen  differently  for  different 
players)  does  not  affect  the  solution  except  to  scale  it 
by  a  similar  transformation. 

•  Imputation  Saving  Reduced  Game  Property.  Loosely 
speaking,  this  means  that  if  a  subset  of  the  grand  coali¬ 
tion  is  prevented  from  participating  in  the  negotiation 
but  is  still  given  a  choice  of  whether  to  cooperate  or 
not,  the  payoff  to  the  remaining  players  is  not  affected. 

The  problem  of  finding  the  nucleolus  for  the  bandwidth 
sharing  problem  can  be  reduced  to  a  linear  programming 
problem.  Since  it  is  a  lexicographic  minimization,  in  the 
worst  case  we  have  to  solve  as  many  linear  programs  as 
there  are  possible  coalitions  (i.e.  2N ,  where  N  is  the  number 
of  players).  In  practice,  however,  the  nucleolus  is  usually 
reached  after  solving  a  small  number  (often  one  or  two)  of 
these  linear  programs. 

For  the  bandwidth  sharing  game,  the  nucleolus  turns  out 
to  be 

3.5 

B  j  =  B0  =  B3  =  Mbps 

So  in  this  case  the  nucleolus  is  the  same  as  the  Nash 
bargaining  solution.  It  is  surprising  that  even  though  D1 
holds  a  “veto  power”,  the  nucleolus  gives  an  equal  share  of 
the  bandwidth  to  all  the  providers.  This  is  only  true  for  this 
example  because  no  two  providers  can  obtain  a  significant 
amount  of  bandwidth  by  excluding  the  third  provider.  For 
example,  if  the  link  between  D  and  E  were  owned  by  D2 
instad  of  by  D3,  the  Nash  bargaining  solution  would  not 
change,  but  the  nucleolus  would  be 

=  1.46  Mbps 

B2  =  1.29  Mbps 
B3  =  0.75  Mbps 

For  the  intelligence  sharing  example,  the  nucleolus  turns 
out  to  be 

Si  =2,  s2  =  4,  s3  =  0 

One  reason  we  get  such  pessimistic  results  in  the  intelli¬ 
gence  sharing  example  is  that  our  game  model  is  not  super¬ 
additive.  That  is,  the  union  of  two  disjoint  coalitions  does 
not  necessarily  produce  a  coalition  with  a  value  greater  than 
the  sum  of  the  values  of  the  original  coalitions. 

The  emptiness  of  the  core  in  the  intelligence  sharing  ex¬ 
ample  implies  that  the  power  structure  of  the  game  does 
not  clearly  point  to  a  single  result.  In  this  case  the  struc¬ 
ture  of  the  negotiation  and  the  attitude  of  the  negotiators 
(i.e.  factors  such  as  risk-aversion)  have  a  strong  influence 
on  the  outcome.  Any  detail  in  the  negotiation  mechanism 
that  tends  to  steer  the  players  towards  a  certain  outcome 
could  play  a  major  role  in  determining  the  result. 


The  Shapley  value  [8]  assigns  payoffs  to  players  de¬ 
pending  on  their  average  marginal  contribution  to  the  grand 
coalition.  Therefore,  it  favors  players  who  play  a  larger  role 
in  the  success  of  the  grand  coalition  over  smaller  players, 
and  is  indicative  of  each  player’s  power  in  the  coalition.  The 
Shapley  value  is  the  unique  solution  satisfying  the  axioms 
of 

•  Anonymity :  The  solution  is  independent  of  the  labeling 
of  the  players. 

•  Carrier  (a.k.a.  Dummy  player  property ):  A  player 
who  contributes  nothing  to  any  coalition  does  not  get 
any  payoff. 

•  Linearity.  For  any  two  games  defined  over  the  same 
player  set,  the  solution  of  the  sum  game  is  the  sum  of 
the  solutions  of  the  individual  games. 

Computationally,  the  Shapley  value  of  a  player  i  is  given 

by 

»,=  £('  — 1)!!"—',>!(v(5)  —  ,,(5{,») 

SCN  "  ■ 

where  N  is  the  grand  coalition,  n  is  the  number  of  players 
in  N ,  s  is  the  number  of  players  in  S,  and  v(S)  is  the  value 
of  coalition  5. 

The  Shapley  values  for  the  bandwidth  sharing  example 
reflect  the  imbalance  of  power  among  the  providers.  The 
Shapley  values  are 
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B\  =  p  Mbps,  B2  =  —  Mbps ,  B3  =  —  Mbps 

Thus  D1  receives  the  most  bandwidth,  because  of  its  vi¬ 
tal  role,  and  D3  receives  the  least  due  to  its  small  contribu¬ 
tion.  Also  note  that  the  Shapley  value  lies  within  the  core. 

For  the  intelligence  sharing  example,  the  Shapley  values 
are 

Vj  =  9.91,  V2  =  0.55,  V3  =  10.84 

This  bears  out  our  intuition  that  in  negotiations,  A2  is  in 
a  weak  position  because  it  has  less  sources  than  the  others, 
and  of  less  reliability.  However,  due  to  the  emptiness  of  the 
core,  the  Shapley  values  are  somewhat  less  informative  than 
in  the  bandwidth  sharing  example  -  they  give  us  information 
about  the  distribution  of  power,  but  the  actual  outcome  of  a 
negotiation  still  depends  on  the  details  of  negotiation. 

6.  Conclusion 

The  outcome  of  a  policy  negotiation  between  au¬ 
tonomous  domains  is  often  predictable,  given  some  knowl¬ 
edge  of  the  power  structure  and  the  criteria  used  by  nego¬ 
tiators  to  evaluate  potential  outcomes.  The  techniques  used 
in  such  predictions  can  also  be  used  in  automated  negoti¬ 
ation  agents,  reducing  the  time  required  to  set  up  dynamic 


coalitions  for  online  collaboration.  Even  if  total  automation 
is  not  desirable,  these  techniques  can  be  useful  as  decision¬ 
making  aids  for  human  administrators  in  finding  a  shared 
access  control  policy.  Game  theory  provides  valuable  math¬ 
ematical  tools  for  such  applications. 

However,  it  is  clear  from  our  intelligence  sharing  exam¬ 
ple  that  building  game  theoretic  models  of  negotiations  is 
not  always  straightforward.  The  resulting  models  may  turn 
out  to  have  undesirable  properties,  such  as  empty  cores.  It  is 
not  yet  clear  what  models  are  appropriate  for  more  realistic 
applications. 

All  the  models  in  this  paper  assumed  perfect  knowledge 
-  all  players  knew  the  resources  and  reward  functions  of  all 
other  players.  Modeling  of  negotiations  where  each  nego¬ 
tiator  has  only  partial  knowledge  of  other  negotiators’  re¬ 
sources  and  reward  functions  is  an  interesting  area  for  fu¬ 
ture  research,  as  is  the  design  of  effective  negotiating  mech¬ 
anisms  and  strategies  in  this  case. 
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